

Threat Hunting? Ditch the SIEM - Part 2

In Part 1, we built the case that SIEMs are ineffective for threat hunting, based on the following reasons:

Too slow

Too dumb

Don’t scale

Don’t provide the right visibility

Too costly

To date, SIEM vendors have not provided the market with the functions needed for producing world-class threat hunting. Again, threat hunting is a method. In order to follow this method, we have to have tools that accelerate and amplify our human work, rather than using technologies that brush aside our method in favor of operating within their paradigm. Too many threat hunting programs are sputtering because we continue to believe that the method should conform to the technology, but that gets things backwards.

What we need for threat hunting is:

Real-time analysis

Parsing-free ingest

Cost-effective data storage

Open-ended search

Big Data scale

Self-defined indicators of compromise, based on evidence within the data

SIEMs have become a high-priced data store for logs and compliance. Analysis is woefully absent. I am asked often, “How is FireMon’s Immediate Insight different from SIEM?” Let me explain how.

First, we begin with recognizing that the human brain is the best analytics engine in the known universe. Immediate Insight makes the human more effective at working with data to detect the unknown and hunt for threats.

Each aspect of Immediate Insight is built with this belief in mind.

Natural Language Extraction

Using NLE, we can tokenize every portion of a dataset without any need for parsing. This is precisely how Google has indexed the vast Internet without prior knowledge of the content it consumes. These are Big Data principles, and the security challenge is a Big Data challenge.

Open-Ended Search

Using Immediate Insight, hunters do not have to conform to a query language or closed restrictions – just type what you want to find. Most start with a known indicator of compromise (you subscribe to dozens of them). Immediate Insight finds those IOCs in your network, but goes beyond that with associative analytics mapping the relationships of entities, users, destinations, machines and chatter connected to that IOC.

Second, hunters create their own self-defined IOCs by leveraging their neural tissue. If I see A in this quantity, B in this quantity, C in this quantity, that is an 80% probability of an early indication of compromise. No one else gives hunters that flexibility.

Metadata Enrichment

Immediate Insight applies new attributes to data that it didn’t have when ingested. Let’s take an IP for example. A string of numbers and dots doesn’t really tell us much, but when you add metadata to it (e.g. geo-location, reputation, users associated, CMDB details, and so on), you can get more information about that entity, AND expand its relationships. The data comes to life.
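The four ideas above (parsing-free tokenization, open-ended search with associative analytics, hunter-defined indicators, and metadata enrichment) fit together in a small amount of code. The block below is an added illustration written for this article, not FireMon's or Immediate Insight's code: the log lines, the enrichment table, and the hunt rules are all constructed sample values, and `known-c2`, `ws-12` and the like are hypothetical. It tokenizes raw events of mixed formats without a parser, builds an inverted index that also indexes enrichment attributes (so a search for a reputation tag finds the lines carrying the matching IP), answers free-text AND queries, lists the entities that co-occur with an IOC, and scores a self-defined indicator as the fraction of its "A in this quantity, B in this quantity" rules that the data satisfies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not real data): proxy, DNS, sshd and firewall
# lines in their native, unparsed formats.
LOGS = [
    "2024-05-01T10:00:01 proxy user=alice dst=198.51.100.7 host=update.example-cdn.test bytes=48213",
    "2024-05-01T10:00:04 dns query=update.example-cdn.test from=10.0.0.12 type=A",
    "May  1 10:00:05 ws-12 sshd[412]: Accepted password for alice from 10.0.0.12 port 51022",
    "2024-05-01T10:00:09 proxy user=bob dst=203.0.113.9 host=mail.example.test bytes=1200",
    "2024-05-01T10:00:11 fw DENY src=10.0.0.12 dst=198.51.100.7 dport=4444",
    "2024-05-01T10:00:12 fw DENY src=10.0.0.12 dst=198.51.100.7 dport=4444",
    "2024-05-01T10:00:13 fw DENY src=10.0.0.12 dst=198.51.100.7 dport=4444",
]

# Constructed enrichment table standing in for geo/reputation/CMDB feeds
# (hypothetical values, for illustration only).
ENRICHMENT = {
    "198.51.100.7": {"geo": "ZZ", "reputation": "known-c2"},
    "10.0.0.12": {"asset": "ws-12", "owner": "alice"},
}

# A term is a run of letters/digits that may continue with . _ - so IPs,
# hostnames and usernames survive as single tokens; '=' ':' '[' split terms.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def tokenize(line):
    """Parsing-free: break any line into terms without knowing its format."""
    return [t.lower() for t in TOKEN_RE.findall(line)]


def enrich(entity):
    """Attach attributes the raw event never carried (geo, reputation, CMDB)."""
    return {"entity": entity, **ENRICHMENT.get(entity, {})}


def build_index(lines):
    """Inverted index: term -> set of line numbers. Enrichment attributes are
    indexed alongside the raw terms, so a search for 'known-c2' finds every
    line that mentions an IP with that reputation."""
    index = defaultdict(set)
    for i, line in enumerate(lines):
        for tok in tokenize(line):
            index[tok].add(i)
            for value in ENRICHMENT.get(tok, {}).values():
                index[value.lower()].add(i)
    return index


def search(index, query):
    """Open-ended search: just type terms; every term must occur (AND)."""
    terms = tokenize(query)
    if not terms:
        return set()
    return set.intersection(*(index.get(t, set()) for t in terms))


def associated_entities(lines, index, ioc):
    """Associative view: terms that co-occur with the IOC, counted per line."""
    counts = Counter()
    for i in search(index, ioc):
        unique_terms = dict.fromkeys(tokenize(lines[i]))  # dedupe, keep order
        counts.update(t for t in unique_terms if t != ioc.lower())
    return counts


def self_defined_indicator(index, rules):
    """Hunter-defined IOC: rules are (term, minimum number of lines). Returns
    the fraction of rules satisfied, e.g. 0.8 for 4 of 5, as a confidence score."""
    met = sum(len(index.get(term.lower(), ())) >= n for term, n in rules)
    return met / len(rules)


if __name__ == "__main__":
    idx = build_index(LOGS)
    print("lines with known-c2 reputation:", sorted(search(idx, "known-c2")))
    print("entities around 198.51.100.7:",
          associated_entities(LOGS, idx, "198.51.100.7").most_common(5))
    print("enriched:", enrich("10.0.0.12"))
    hunt = [("DENY", 3), ("4444", 3), ("alice", 1), ("known-c2", 2), ("powershell", 1)]
    print("hunt score:", self_defined_indicator(idx, hunt))
```

Note that the query `alice 10.0.0.12` matches the DNS and firewall lines even though neither contains the string "alice": the enrichment table ties the workstation IP to its owner, which is the "expand its relationships" effect described above. The hunt rules evaluate to 0.8 because four of the five hunter-defined conditions hold in the sample data.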

Not Another Data Store

Immediate Insight is your analysis engine, not another data store (e.g., SIEM). Immediate Insight makes use of the data you have already collected to ensure you can hunt effectively within that data. Many organizations are building Big Data Lakes via Hadoop and use Immediate Insight as the analysis that sits atop such a data store. You don’t need another repository and another meter running for data warehousing.

Scale

Immediate Insight’s underlying technology is Elasticsearch, and right there in the name is our scale function – elastic. Deploying Immediate Insight into islands or federated clusters is simple - literally 5-10 minutes for setup - which gives hunters the free time needed for hunting instead of appeasing another cranky app.

In this two-part diatribe, I have made the case that SIEMs are glorified databases for a security context, that analysis must start with the human in mind, that solutions must scale to meet the demands of evolving tactics, techniques, and procedures (TTPs) of adversaries, and that a more appropriate way forward is applying Big Data principles to threat hunting.

At FireMon, we unapologetically believe the human is the most essential part of any security program. We want humans to have frictionless ways to work with data, be more productive, secure their environments, and apply their own methods to their tools. Immediate Insight is the fastest, best way to have world-class threat hunting – because it welcomes the hunting method, rather than forcing conformity to a high-priced database.
